The Privacy Law Site

* Devoted to Privacy Laws and Regulations since 2005 *

Sunday, October 31, 2010

U. of Hawaii Posted Student Info or a Year

HONOLULU – The Social Security numbers, grades and other personal information of more than 40,000 former University of Hawaii students were posted online for nearly a year before being removed this week, The Associated Press has learned.

University officials told the AP that a faculty member inadvertently uploaded files containing the information to an unprotected server on Nov. 30, 2009, exposing the names, academic performance, disabilities and other sensitive information of 40,101 students who attended the flagship Manoa campus from 1990 to 1998 and in 2001. A handful of students from the West Oahu campus were included in the security breach.

Wednesday, October 27, 2010

FTC Ends Google Street View Inquiry

FEDERAL TRADE COMMISSION

WASH[NGTON. D.C. 20580

October 27, 2010

1201 Third Avenue, Suite 4800

Seattle, WA 98101-3099

Dear Mr. Gidari:

I am writing regarding your client Google's announcement about its collection of consumer data transmitted over unsecured wireless networks. According to Google's announcement, in 2007, the company installed software on its "Street View" cars1 to collect data about consumers' wireless network access points for the purpose of improving its location-based services. Earlier this year, in response to a request from the data protection authority in Hamburg, Germany, Google discovered that the software on the Street View cars had also been collecting some "payload" data contents of communications sent over unsecured wireless networks. The company stated that the collection of payload data was inadvertent and that the company did not use the payload data in any Google product or service.2

FTC staff has concerns about the internal policies and procedures that gave rise to this data collection. As noted above, the company did not discover that it had been collecting payload data until it responded to a request for information from a data protection authority.

This indicates that Google's internal review processes - both prior to the initiation of the project to collect data about wireless access points and after its launch - were not adequate to discover that the software would be collecting payload data, which was not necessary to fulfill the project's business purpose. These review processes are necessary to identify risks to consumer privacy posed by the collection and use of information that is personally identifiable or reasonably linkable to a specific consumer. For any such information, Google should develop and implement reasonable procedures, including collecting information only to the extent necessary to fulfill a business purpose, disposing of the information no longer necessary to accomplish that purpose, and maintaining the privacy and security of information collected andstored.

Chairman Leibowitz highlighted some of these issues in his testimony before the Senate Commerce Committee on July 27,2010.3 As you know, the FTC has undertaken a project to reexamine its approach to consumer privacy in light of changing technologies and business practices.4 During a series of public roundtables, panelists raised concerns about companies' collecting more consumer information than necessary to fulfill a legitimate business need.

A related concern was that companies are storing consumer data for longer periods (at lower cost) and will find new uses for itthat consumers may not have contemplated at the time of collection.

Accordingly, panelists and commenters discussed the need for companies to build strong privacy protections into their products and business operations at the outset.

To this end, we note that Google has recently announced improvements to its internal processes to address some of the concerns raised above, including appointing a director of privacy for engineering and product management; adding core privacy training for key employees; and incorporating a formal privacy review process into the design phases of new initiatives. The company also publicly stated its intention to delete the inadvertently collected payload data as soon as possible.5 Further, Google has made assurances to the FTC that the company has not used and will not use any of the payload data collected in any Google product or service, now or in the future. This assurance is critical to mitigate the potential harm to consumers from the collection of payload data.6 Because of these commitments, we are ending our inquiry into this matter at this time.

We ask that the company continue its dialogue with the FTC about how best to protect consumer privacy as it develops its products and services.

Sincerely,

David C. Vladeck

1 Google's Street View program provide street-level imagery of locations through the company's Google Maps product. The images are collected primarily by Street View cars, which include directional cameras to capture 3600 views, a GPS unit for positioning and laser range scanners. See Google Maps with Street View, Behind the Scenes, available at http://maps.google.comlhelp/maps/streetviewlbehind-the-scenes.htmI#vehicles.

3 See Prepared Statement of the Federal Trade Commission on Consumer Privacy before the Committee on Commerce, Science, and Transportation, United States Senate, at 22 (July 27, 2010), available at http://www.ftc.gov/os/testimony/100727consumerprivacy.pdf.

4 See http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml.

Last week, an article in the Wall Street Journal revealed the apparent widespread practice of Facebook applications (or “apps”) transferring users’ personal information to marketing firms and tracking companies. I found the details of the Journal’s article troubling and write this letter to request further information on Facebook’s enforcement efforts with regard to the company’s Privacy Policy.

Facebook’s Privacy Policy makes clear that apps must not share personal information with outside parties. Section 4 states that when users connect to a Facebook app or website, “it will have access to General Information” about users, which includes “names, profile pictures, gender, user IDs, [and] connections.” The policy also declares: “Prior to allowing [applications and websites] to access any information about you, we require them to agree to terms that limit their use of your information (which you can read about in Section 9 of our Statement of Rights and Responsibilities)”. Next, Section 9 of the referenced Statement of Rights and Responsibilities states the requirements and obligations by which “Developers/Operators of Applications and Websites” must abide.

Wednesday, October 20, 2010

Congressmen Send Questions on Privacy to Zuckerberg

Via CNET:Facebook CEO Mark Zuckerberg is, once again, being forced to fend off pointed privacy questions from Washington politicians. In a letter sent this week to the 26-year old executive, two prominent members of the U.S. House of Representatives demanded answers about the company's latest privacy breach, which allowed third party applications to gather personally identifiable information. It's not clear, as CNET noted, that Facebook knew that some of these third-party companies, including extremely popular ones like FarmVille manufacturer Zynga, were allegedly selling data to advertisers and tracking companies in violation of Facebook's terms of use. That was reported by the Wall Street Journal on Monday.

Reps. Ed Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican, directed their questions at Zuckerberg. They posed 18 questions, including: What guidelines does Facebook have in place for third party applications to protect its users from advertent or inadvertent privacy breaches? And: Please identify the officials within Facebook who are responsible or ensuring that third party applications satisfy Facebook's terms and conditions.

Monday, October 18, 2010

Facebook Breaches Privacy, Wall Street Journal Reports

Facebook Apps Send User Data to Advertisers, WSJ Says

Oct. 18 (Bloomberg) -- Facebook Inc.’s top 10 applications have been transmitting data that can be utilized to identify users to advertising and Internet-tracking firms, the Wall Street Journal reported, citing its own investigation. The applications, known as apps, have been providing users’ “Facebook ID” numbers, which can be used to obtain such information as people’s names, to the third-party companies, the newspaper said today. The apps include Zynga Game Network Inc.’s FarmVille, Texas HoldEm Poker and FrontierVille, it said. Passing on the information, which affects tens of millions of app users, including people who set their profiles to the site’s strictest privacy settings, breaks Facebook’s rules and renews questions about its ability to keep personal information secure, the Journal said.